Heads Up**W32.Sobig.F@mm

Hi Guys..

W32.Sobig.F@mm

This is currently a Cat 2 on Symantec (at 11:40UTC)

No full info.. check for the latest info On Symantec

From Sophos the following ..

Quote:

---

W32/Sobig-F is a worm that spreads via email and network shares.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder<\winppr32.exe /sinc

The worm sends itself as an attachment to email addresses collected from various files on the victim's computer.

---

Cheers..

PAnda Software; gives this one a Amber Status - News here status at 13:22UTC

As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

Thanks!

Quote:

---

Originally posted here by thadbme
As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

Thanks!

---

Yea, same here - I've been watching the damn notifications all day long as this thing keeps knocking at my doors, trying to get in. I'm glad it's being blocked and I'm a little surprised that my network is receiving this much infected mail - at least with the same damn infection...

Question. Right now the relays are setup to strip all .pif extensions, and all .scr extensions, which keeps the virus from getting through, however the message still gets to the customer. So what I've done is block all of the subject headers that this virus uses.

Details
My details
Your details
Your application
Thank you!
Wicked screensaver
That movie


Now i have this setup to block all occurances of this using *'s. Think about those subject lines just for a second and you'll see the problem. Valid emails could be blocked, if it comes with this subject header. And since this bug spoofs the senders email address is there any other way to block it? If someone sends a valid email with those subjects they wont even know that it didnt make it through because the message is dropped.

Ideas??

Damn, this one is going crazy!

I've recieved 190+ of these on one single address! I've setup an auto reply to those emails using the subject as a filter. I replied informing them they have been infected and with a link to instructions on how to remove it from their system.

Hopefully people start updating their defs soon... I'm tired of these things already!

We've got a few guys that work here that, because of the nature of the business they are involved with, their email addresses are all over the public - those guys are getting absolutely slammed with this thing, but like I stated earlier, I've got the trusty firewall blocking it all, so no harm done....

3200+ and counting, how are you blocking these through the firewall? is it a local firewall or for the network? I'm curious, these are coming from who knows where because of the spoofed sender, frankly i'd rather live without all of the notifications. I think we've got the idea after the first 2000. Its mainly just an annoyance, but i've got a feeling this might be one of those that we'll have to live with for awile, according to Symantec it will stop on the 10th of September, atleast i'm hoping so!

Our mail servers have gotten 12,342 messages of all varients of the subject line. We are filtering the messages at the server level (both payload and subject line filters) via Exchange's management tool so the individual's mail store never gets the delivery. Needless to say, we're stripping out the virus with our enterprise AV solution long before it gets to the mail store.

It's amazing how many people out there don't actively update their AV scanner.

i'm using subject line filters to block them not payload, the individual never gets the mail message, however we receive notification of a violation and a drop message, i'm trying to figure out how to block this critter from ever touching our mail relays, i could always turn off logging due to the volume but if something else tries to make it through i'd like to be aware of it. Sounds like your getting hit pretty hard as well, are you getting the loads of notifications.

I guess my question is am i just going to have to live with this, or is there some clever and devious way that i could put a stop to it. via, figuring out who these are coming from (assuming its not from 100's of users, to possibly notify them of problem as mentioned earlier) Or just to get the message to stone cold turn it away, like it never saw it, to avoid getting 3000 more messages by this time tomorrow.

when are people going to learn not to open attachments unless they have been cleaned first...